The cyber world is full of would-be extractors of our bank account data. Banks and their regulators recognised cyber risk as a major threat decades ago and have built an elaborate ecosystem of protections against it. Regulated banks are strictly limited in how they store customers’ data. They are required to have multiple lines of defence against security breaches, subject to independent audit and review by government supervisors.
But as the Equifax data breach highlights, other entities, such as credit reporting agencies, reside outside this system. The protection they offer is only as good as their managements’ vigilance, and that is often lacking.
Given the relative success of bank cyber regulation, why would we want to provide new points of penetration? That is the question presented by the Second Payments Services Directive, or PSD2, being implemented in the UK and EU. The goal is to increase competition, lower costs and foster innovation in the bank-dominated payments system. But its impact on the security of customer bank accounts requires more thought, particularly in light of the Equifax hack.
Under PSD2, two new species of third-party providers will have direct access to bank accounts: payment providers and account information aggregators. The latter will be able to amass large databases of transaction data, making them a juicy target for hackers.
Regulators have tried to address potential security risks created by PSD2. Today, many nonbank companies already gain direct access to accounts by convincing consumers to give them their security credentials. The new rules in Europe and the UK will require such companies to register with regulators and subject them to oversight. Importantly, in the UK, the Financial Conduct Authority will start requiring these players to access account information through a special interface instead of obtaining a customer’s username and password, narrowing their access to data relevant to their services. If a third-party provider is hacked, crooks may still be able to access customers’ funds, but will not be able to obtain the customers’ security credentials to sell on to others. These measures will enhance cyber security, but many other aspects of PSD2 could still compromise it.
When financial institutions have been hacked, it has frequently occurred through a third party. So supervisors require banks to take a proactive role in ensuring that loan servicers, for example, have the same level of protection for sensitive customer information that applies to the bank. However, because payment providers and account aggregators are bank competitors, PSD2 limits banks’ ability to make discriminatory judgments about them or to impose contractual obligations on them. This will inhibit a bank’s ability to take preventive measures when it has security concerns. It is unclear whether a third party is even obliged to notify a bank when it experiences a security breach.
Similarly, out of concerns about competition, banks will have no clear authority to contact customers to verify provider authorisations, even though regulators have long encouraged banks to scrutinise any suspected unauthorised access or use of customer data. Monitoring for fraud will be hampered because customers may no longer interact with banks directly. No longer able to see and understand how customers are using their accounts, banks will be hard put to identify red flags.
And then there is financial capacity. Regulators in the UK and EU have said that third-party providers will be financially responsible for unauthorised withdrawals directed by their systems. But will they have the resources to pay? While banks are subject to meaningful capital requirements, UK and EU regulators will impose none on the aggregators and a paltry €50,000 for payment providers. The amount and availability of insurance against consumer losses remain an open question. Moreover, financial obligations seem only to extend to unauthorised withdrawals. Consumers could be on their own in dealing with other harm, such as identity theft and damaged credit.
Done right, open data access promises more convenient, lower cost financial services for consumers. If banks want to survive, they need to compete. Many are. But if they are relegated to absorbing the back-office costs of making the payments system safe while internet companies freely siphon their customers’ data, the current regulated system may be disrupted out of existence. Government policy should support a new ecosystem where technology enjoys a symbiotic relationship with banking, not act as an invasive species.